On Thu, Feb 02, 2017 at 05:41:19PM -0800, Owen DeLong wrote:
> > On Feb 1, 2017, at 00:48 , Job Snijders <[email protected]> wrote:
> >
> > On Tue, Jan 31, 2017 at 06:41:39PM -0800, Owen DeLong wrote:
> >> RPKI doesn’t secure BGP.
> >>
> >> All it does is provide a cryptographically signed mechanism by which
> >> you can suggest what ASN should be forged as the origin of a route that
> >> you want to hijack.
> >
> > That feels like a misconstrued statement.
> >
> > You highlight a subset of RPKI: a feature that is commonly
> > available today. There is potentially far more that can be done with
> > the RPKI, such as the distribution and validation of router
> > certificates, manifests and other statements related to network
> > management.
> >
> > The RPKI stands for "Resource Public Key Infrastructure", it is a
> > public key infrastructure framework of which you currently only see
> > one application.
> >
> > It is important in this discussion to recognise the value and potential
> > of the RPKI.
>
> Does any RIR or any other place have even a specification for those
> other purposes, let alone actual implementation?

As recently as January 18th, 2017 the IESG approved the "BGPsec Protocol
Specification" to be published as a Standards Track RFC. The announcement
can be read here:
https://www.ietf.org/mail-archive/web/ietf-announce/current/msg16252.html

And for those of us who possess technical prowess, perhaps the actual
specification might be of interest:
https://tools.ietf.org/html/draft-ietf-sidr-bgpsec-protocol-22

BGPsec relies on the Resource Public Key Infrastructure (RPKI)
certificates that attest to the allocation of AS number and IP address
resources. Any BGPsec speaker who wishes to send, to external (eBGP)
peers, BGP update messages containing the BGPsec_Path needs to possess a
private key associated with an RPKI router certificate that corresponds
to the BGPsec speaker's AS number. Note, however, that a BGPsec speaker
does not need such a certificate in order to validate received update
messages containing the BGPsec_Path attribute.

However, the organisation wishing to validate these updates will need
access to the ARIN TAL.

> If not, then I stand by my statement as regards the current state of
> the RPKI.

Please keep in mind that this thread was about removing barriers, to
enable RPKI innovation.

Kind regards,

Job
